CVE-2025-24975 — HIGH (7.1)

Q: How severe is CVE-2025-24975?

CVE-2025-24975 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Q: Is there a patch for CVE-2025-24975?

Check the references section above for vendor advisories and patch information. Affected products include: Firebirdsql Firebird.

Vulnerability Description

Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPool are not verified for presence and suitability of the CryptCallback interface is used when created versus what is available could result in a segfault in the server process. Encrypted databases, accessed by execute statement on external, may be accessed later by an attachment missing a key to that database. In a case when execute statement are chained, segfault may happen. Additionally, the segfault may affect unencrypted databases. This issue has been patched in snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609 and point releases 4.0.6 and 5.0.2. A workaround for this issue involves setting ExtConnPoolSize equal to 0 in firebird.conf.

CVSS Score

7.1

HIGH

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L

Attack Vector

NETWORK

Attack Complexity

HIGH

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality

HIGH

Integrity

HIGH

Availability

LOW

Affected Products

Vendor	Product	Versions
Firebirdsql	Firebird	>= 4.0.0, < 4.0.6

Related Weaknesses (CWE)

CWE-754

References

https://github.com/FirebirdSQL/firebird/commit/658abd20449f72097fbbce57e8e6ae42fPatch
https://github.com/FirebirdSQL/firebird/issues/8429Issue Tracking
https://github.com/FirebirdSQL/firebird/security/advisories/GHSA-fx9r-rj68-7p69MitigationVendor Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24975-detect-vulnerable-firebirdExploitThird Party Advisory
https://www.vicarius.io/vsociety/posts/cve-2025-24975-mitigate-firebird-vulnerabExploitThird Party Advisory

FAQ

What is CVE-2025-24975?

CVE-2025-24975 is a vulnerability with a CVSS score of 7.1 (HIGH). Firebird is a relational database. Prior to snapshot versions 4.0.6.3183, 5.0.2.1610, and 6.0.0.609, Firebird is vulnerable if ExtConnPoolSize is not set equal to 0. If connections stored in ExtConnPo...

How severe is CVE-2025-24975?

CVE-2025-24975 has been rated HIGH with a CVSS base score of 7.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-24975?

Check the references section above for vendor advisories and patch information. Affected products include: Firebirdsql Firebird.